Security Restrict Permissions help needed

I have set up a Server Action to list all the users in my database and I am populating a dropdown with the data. It works insofar as I get a list of all the users.

What I am having trouble with is restricting access to just my ‘Super Admin’ user group. I am using a two table system - one for users and one for groups. A user can be in multiple groups. Regardless of what I set in the “Restrict Properties, permission” box I can always get the list of users if I am logged in.

This is my setup for the Security Restrict:

This is my setup for my permissions:

It is my understanding that this set up should produce the following MySQL query for a user with the identity of 10:
SELECT * FROM users JOIN tbl_group_members ON users.id = tbl_group_members.user_id WHERE user_id = 10 AND group_id = 1

In my database this returns no records (user 10 is not a Super Admin) - my assumption was that this would cause the query to not be run or returned. However I still get a full response of all the records I asked for.

I have tried multiple combinations of users in the group, not in the group, user not in the groups table or user table etc and they all return all the records requested as if user 10 is a Super Admin. The only time that does not happen is when I am logged out.

Any thoughts, anyone, about what I am missing here?

Please have a look at https://community.wappler.io/c/docs/security-and-login, in particular the section called Getting Details of the Logged In User and Binding them to your page

If you still have a problem, please come back here.

Hey Ben, my explanation may not have been clear - but I don’t think what you linked to is my problem. I have successfully worked through most of the tutorials for Wappler and been able to get my app up and running.

The problem is that there only seem to be two levels of access - logged in or logged out. When I am logged in the group membership table has no effect on the data returned. What I want is to be logged in and only get data returned if the user is a member of a particular group.

I had a faint suspicion that I had not grasped the essence of your question. Therefore I’ll try again.

In the users table, you undoubtedly have a column named UserLevel or similar. When a user logs in using the procedure in the second link, all of the information regarding that user is available, including the UserLevel. In App Connect, you can use that information to show or hide contents as I have done by

dmx-show="scUser.data.qryUsers[0].UserLevel=='Admin'"

Hopefully this will help.

I have followed this tutorial previously and it all works great for me. So let me expand a little more about what I am trying to accomplish.
I am creating an Admin page. On the admin page I want to be able to display a dropdown menu that lists all of the users of my app - so every user listed in the ‘users’ database table. I can successfully do this.

What I can’t do is prevent that list from populating for anyone who is logged in. So User 1 is in the ‘Super Admin’ group and ‘User 2’ is not. Even when I set the permission in ‘Security Restrict’ (like the image above) to Super Admin - both User 1 and User 2 can see the list.

Sure, I can hide it on the client side but that doesn’t make it secure - just hidden. Changing the permission in Security Restrict currently makes no difference to who can see the data.

FYI: I use an id number rather than a text string for the group identification but this shouldn’t change the principle. group_id #1 is the Super Admin group.

I have accomplished what I need now but had to add a condition that utilizes a database lookup instead of the security restrict function.

If anyone can write a tutorial about Security restrict and groups using the two table method that would be great because I have spent hours on it and can’t figure it out.

I did watch this video by @Hyperbytes about it but it is not a full tutorial and doesn’t show the process in action. At 5:21 he asks a question but doesn’t ever show the last part of the process functioning in conjunction with Security Restrict.

Have a look at https://www.youtube.com/watch?v=-xIdr1zoCaU&list=PLUjqTJN3byC9gPAJQn6Z5F6YEa3y-CAsC&index=8&t=3s

I have been playing around with Security Restrict for a few days and I can’t get it to function how I think it should. It is possible that it is not supposed to do what I want it to but I would like to verify this.

I have followed this tutorial by @George and it works great. What doesn’t work is when I try to go beyond the tutorial and restrict the data to a group with a condition on it - something more restrictive than ‘All Logged in’.

I have set up a test connection to my database and am listing all the records from a single table - a simple ‘select id, email from users’ query. When I use Security Restrict on the server action to only show the information to a logged in user it works as expected. When I am logged in I can see the data - when I am logged out I can’t.

However, when I try to add the groups table to the Security Provider and set conditions it has no impact at all. I am pretty sure I have it set up correctly (see the images in the first post of this thread) but to look a little deeper I logged all the Select queries on my DB and I don’t see any query checking to see what groups the user is in when they try to access the data. If this is not happening how can the Security Restrict know who to grant or restrict access to?

I believe that something is not working with Security Restrict but would love someone to show me where I am going wrong. A simple tutorial about how to restrict the data using a groups table would be great (I can’t find one).

I have looked at that video series and have not been able to find anything relevant to the problem that I am having but it is possible that I just missed it.
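As an added illustration (not Wappler's code and not code from any poster in this thread) of the server-side check the thread is after: the membership query from the first post is applied as a deny-by-default gate in front of the user listing, so a logged-out caller gets 401, a logged-in user outside the group gets 403, and only a group member gets the rows. It also keeps a statement log, the same diagnostic as logging SELECT queries on the database above, so you can confirm the group lookup actually executes. Table and column names follow the query in the first post, the sample rows are constructed, and group_id 1 is the Super Admin group as stated in the thread.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed constants for the demo; group_id 1 is the Super Admin group in the thread.
SUPER_ADMIN_GROUP_ID = 1

# Every SQL statement executed against the demo connection is appended here,
# mirroring the "log all SELECT queries" diagnostic used in the thread.
QUERY_LOG: List[str] = []


def build_demo_db() -> sqlite3.Connection:
    """Two-table model from the thread (users + tbl_group_members) with constructed rows.

    user 1 is in groups 1 and 2, user 10 is only in group 2, user 2 is in no group.
    """
    conn = sqlite3.connect(":memory:")
    conn.set_trace_callback(QUERY_LOG.append)  # record each statement as it runs
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE tbl_group_members (
            user_id  INTEGER NOT NULL REFERENCES users(id),
            group_id INTEGER NOT NULL,
            PRIMARY KEY (user_id, group_id)
        );
        INSERT INTO users VALUES (1, 'user1@example.com'),
                                 (2, 'user2@example.com'),
                                 (10, 'user10@example.com');
        INSERT INTO tbl_group_members VALUES (1, 1), (1, 2), (10, 2);
        """
    )
    return conn


def is_member(conn: sqlite3.Connection, user_id: int, group_id: int) -> bool:
    """The membership check from the first post, parameterised and column-qualified."""
    row = conn.execute(
        "SELECT 1 FROM users "
        "JOIN tbl_group_members ON users.id = tbl_group_members.user_id "
        "WHERE tbl_group_members.user_id = ? AND tbl_group_members.group_id = ? "
        "LIMIT 1",
        (user_id, group_id),
    ).fetchone()
    return row is not None


def list_users(conn: sqlite3.Connection, identity: Optional[int]) -> Tuple[int, Optional[list]]:
    """Server-side equivalent of a restricted server action.

    Returns (http_status, payload). The data query only runs after the group
    check passes, so hiding the dropdown client-side is never the real control.
    """
    if identity is None:
        return 401, None  # not logged in
    if not is_member(conn, identity, SUPER_ADMIN_GROUP_ID):
        return 403, None  # logged in, but not in the required group
    rows = conn.execute("SELECT id, email FROM users ORDER BY id").fetchall()
    return 200, [{"id": r[0], "email": r[1]} for r in rows]


def membership_check_ran() -> bool:
    """True if any logged statement touched the groups table (the diagnostic from the thread)."""
    return any("tbl_group_members" in q and q.lstrip().upper().startswith("SELECT") for q in QUERY_LOG)


if __name__ == "__main__":
    db = build_demo_db()
    QUERY_LOG.clear()
    for who in (None, 10, 2, 1):
        print(who, list_users(db, who))
    print("group lookup executed:", membership_check_ran())
```

Running it shows 401 for the anonymous caller, 403 for users 10 and 2, a full list only for user 1, and `group lookup executed: True`; if the last line ever printed `False` in your own server logs, the restriction is not being evaluated, which is exactly the symptom reported above.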

Hi @ASmyth, were you able to make this work? I am also trying to use user groups to assign permissions to. Right now I have reverted to assigning to users instead but using a third table, i.e. the user+privilege map table (where user ids and privilege ids are in one table with foreign keys to the user table and privilege table). I would like to make the user groups assignment work with permissions.

@ASmyth,

I am a little confused because I do not see what you are seeing on my site.

I created a test page that has two server connects on it. One with no security restrict and one with a security restrict. The one that has a security restrict is restricted to the admin level.

When I ran the page by being logged into a regular user, I see my user name listed (retrieved from the public server connect) and I get a forbidden error for the drop down box (retrieved from the restricted server connect).
This is the way Security Restrict should work.

In my site, users can have multiple permissions, so I added another non-admin permission level on my test user with the same result (Forbidden).

I then added my admin permission on my test user and the forbidden was removed and replaced with the server connect results.

Security Restrict works for me. Users who do not have the adequate permission are not able to see the data retrieved from the database.

For an admin page, I would combine Security Restrict on the server action side with Security Enforcer on the App Structure side.
